Technique to authenticate in a mobile application using near-field communication

ABSTRACT

A method for operating a mobile communication appliance enabled for Near Field Communication (NFC) has steps for (a) positioning the communication appliance and an article associated with a person, the article enabled for NFC and storing a unique identifier, within a near-field threshold; (b) acquiring by the communication appliance through NFC the unique digital identifier from the article; and (c) using the identifier to select and initiate a particular functionality of the communication appliance.

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention is in the technical area of telecommunication, andrelates more particularly to authentication of persons to mobileapplications and agents.

2. Description of Related Art

It is well-known in the digital communication arts that it is oftennecessary for a caller, upon reaching, for example, an agent in a callcenter, to provide some input to authenticate the caller as the personhe or she claims to be. One notoriously well known means ofaccomplishing this need is by the caller entering a password known tothe agent or to the digital equipment available to the agent. Inaddition an agent may require other information presumably known only tothe proper person, to aid in authorization. Authentication is alsonecessary in logging into an account on a web page, such as an on-linebanking account through a web page.

It is also known that mobile devices, by virtue of increasing computingpower and ability to send and receive data, are becoming more and moreuseful in areas such as accessing accounts and web pages, whereauthentication will typically be required.

Entering a password is a process, using either a mobile telephone, aniPad or other pad device, or other known mobile devices, as well as withcomputer appliances with Internet access, that may take at least eightto ten seconds. Moreover, the process is error prone. The caller mayinadvertently type or enunciate a wrong character. Passwords, moreover,are secure in part related to the complexity of the password.

What is needed in the art is a procedure for authentication, especiallyusing mobile devices, that is much quicker, less error prone, and moresecure.

BRIEF SUMMARY OF THE INVENTION

In one embodiment of the present invention a method for authenticating acardholder in an application executing on a mobile computerizedappliance is provided, comprising the steps of (a) placing a credit cardissued by a financial institution and associated with a cardholder, thecredit card enabled for near-field communication (NFC), within thenear-field threshold to a mobile communication appliance also enabledfor NFC; (b) acquiring a unique digital identifier from the card by NFC;(c) executing software by the computerized appliance, using theidentifier to select and launch an application enabling communication bythe communication appliance with a first Internet server hosted by thefinancial institution; and (d) communicating the unique identifier tothe server hosted by the financial institution, authorizing the user ofthe communication device to access and manipulate data in an accountbelonging to the cardholder.

Also in one embodiment in step (b) data additional to the uniqueidentifier is acquired. Also in one embodiment the communicationappliance may be an Android™ operated cellular telephone. There may bean additional step (e) accessing and manipulating data in the account bythe person operating the communication appliance.

In another embodiment the communication appliance opens a link to a datarepository at a second server, using the unique identifier to locate andacquire further data regarding the cardholder, all or a part of which iscommunicated by the communication appliance to the first server. In yetanother embodiment the cardholder establishes a link to the first servervia an appliance that is not NFC enabled, and a link through the mobilecomputerized appliance that is NFC enabled to the first server as well,and the first server authorizes the cardholder and enables thecardholder to access and manipulate data in the financial account fromthe appliance that is not NFC enabled.

There may be in the method a step (f) initiating a server function bythe cardholder by input at the mobile communication appliance,initiating a transaction from the communication appliance to acall-center hosted by the financial institution, resulting in a dialoguebetween the cardholder and an agent of the financial institution at thecall center.

In another aspect of the invention a system for accessing andmanipulating data in a financial account belonging to a cardholder andmaintained at a first Internet-connected server is provided, comprisinga credit card associated with the cardholder and enabled for Near FieldCommunication (NFC), the credit card storing a unique identifier, amobile communication appliance also NFC enabled, executing software froma non-transitory physical medium, wherein bringing the credit cardwithin NFC threshold distance to the communication appliance enables theappliance to acquire the unique identifier, which it uses to launch anapplication to link to the first Internet-connected server andauthenticate the cardholder, enabling the cardholder to access andmanipulate data in the financial account.

In one embodiment of the system data additional to the unique identifieris acquired from the credit card by the communication appliance throughNFC. In another embodiment the communication appliance may be anAndroid™ operated cellular telephone. In yet another embodiment thecardholder accesses and manipulates data in the financial account.

In yet another embodiment of the system of the invention thecommunication appliance opens a link to a data repository at a secondserver, using the unique identifier to locate and acquire further dataregarding the cardholder, all or a part of which is communicated by thecommunication appliance to the first server. In yet another embodimentthe cardholder establishes a link to the first server via an appliancethat is not NFC enabled, and a link through the mobile computerizedappliance that is NFC enabled to the first server as well, and the firstserver authorized the cardholder and enables the cardholder to accessand manipulate data in the financial account from the appliance that isnot NFC enabled. In still another embodiment the cardholder initiates afunction at the first server by input at the mobile appliance, whichinitiates a transaction from the communication appliance to acall-center hosted by the financial institution, resulting in a dialoguebetween the cardholder and an agent of the financial institution at thecall center.

BRIEF DESCRIPTION OF THE SEVERAL VIEWS OF THE DRAWINGS

FIG. 1 is an architectural diagram illustrating an arrangement in anembodiment of the present invention.

FIG. 2 illustrates functionality in an embodiment of the invention.

FIG. 3 illustrates functionality in another embodiment of the invention

FIG. 4 illustrates functionality and practice in yet another embodimentof the invention.

DETAILED DESCRIPTION OF THE INVENTION

FIG. 1 is an architectural overview of a networked system in anembodiment of the present invention. This exemplary system comprises awide-area-network (WAN) 102, a public-switched telephone network (PSTN)101, and a wireless carrier network (WN) 103. PSTN 101 may be anypublicly switched telephone network. WAN 102 may be a corporate orpublic WAN including the Internet network. Wireless network 103 may beany wireless carrier network and is typically a cellular telephonynetwork.

WAN 102 is the Internet network in a preferred embodiment because of itshigh public access characteristic, and is referred to herein as Internet102. Internet 102 is further exemplified by a network backbone 104representing all of the lines, equipment, and connection points thatmake up the Internet as a whole. Therefore, there are no geographiclimitations to the practice of the present invention.

Network backbone 104 in this example supports a web server 109, whichmay be hosted by an enterprise engaged in practice of the presentinvention. Web server 109 has access to a physical, non transitorydigital medium storing data and software required to enable function asa web server. In this example, a website 110 is illustrated as onefunction of server 109. Website 110 represents any website of anenterprise through which customers may communicate with enterpriseapplications and/or enterprise representatives for the purpose ofengaging in products and services. In one embodiment the enterprise maybe a financial institution, such as a bank, and the website may provideon-line banking services to customers.

A call center 111 is illustrated in this example, built upon a localarea network (LAN) 118 supporting various equipment and facilities forpracticing call-center interaction processing. LAN 118 supports aplurality of call center agents dedicated to services for the host ofthe call center, which may be, in one embodiment, the bankinginstitution that may be the host of website 110. Each call center agentin this example operates from an agent station 116 (1-n). Each agentstation 116 (1-n) includes a LAN-connected computing appliance and aswitch-connected telephone for illustrative purposes only, as the exactequipment types may vary. The telephone capability at agent stations maybe provided through the LAN as digital telephony, as shown in thisexample, or the telephones may be connected by Destination Number linesto a PSTN switch connected, as is switch 131, to PSTN 101.

PSTN 101 includes a network-level telephone switch 105, which may be anautomated call distributor (ACD) or a private branch exchange (PBX), orsome other type of telephony switching facility without departing fromthe spirit and scope of the present invention. Telephone switch 105 isconnected to a central office telephone switch 131 associated with thecall center via a telephony trunk 117. Switch 131 represents the lasthop for callers before being routed to agent stations 116 (1-n) viatelephone. Switch 105 in PSTN 101 has connection to network backbone 104of the Internet network through a telephone gateway 108. Gateway 108 isadapted by software executing from a physical medium to facilitate crossconversion of telephony traffic from the PSTN to the Internet networkand from the Internet over the PSTN network.

A variety of consumer appliances 115 (1-4) are illustrated in thisexample and are meant to include any computing appliances that may beused to access networks 102, 101, and 103. Computing appliance 115 (1)is a desktop computing appliance with a digital telephone and SWexecuting to enable the telephone. In an alternative embodiment thetelephone may be a separate PSTN telephone connected by PSTN land-lineto PSTN network 101.

A consumer operating equipment 115 (1) connects with computer 115 (1) toInternet 102 via PSTN land line 107, and an Internet service provider(ISP) 106, in this instance through a gateway 108. The methods ofconnection may vary upon the equipment used and the available technicalavenues for accessing the Internet. Cable modem, telephone modem,satellite, digital services line (DSL), broadband, and WiFi are justsome of the available connection methods that may be used to gain accessto Internet 102.

Consumer appliances 115 (2), 115 (3) and 115 (4) are wirelessly enabledto connect to network backbone 104 via a cell tower 112, a transceiver113, and a wireless multimedia gateway (WGW) 114 for bridgingcommunications between wireless network 103 and Internet 102. Consumerappliance 115 (2) is a Laptop computer and 115 (3) is a cellulartelephone, such as an iPhone or an Android telephone. Computingappliance 115 (4) is an iPad type device. It may be assumed in thisexample, that each of the users operating appliances 115 (1-4) mayinitiate and manage telephone calls, multi-media transactions, emails,and web-browsing sessions.

LAN 118 in call center 111 supports a routing server 122 connected toInternet backbone 104 by way of an Internet access line. Routing server122 includes a physical digital medium 124 that stores all of the dataand software required to enable interaction routing. All transactionrequests made by users from appliances 115 (1-4) in communication withwebsite 110 are sent to routing server 122 for distribution to agentsoperating at agent stations 116 (1-n), managed by routing software thatmay employ many intelligent routing functions. Telephone switch 131 isenhanced for intelligent routing of voice interactions via a computertelephony integration (CTI) processor 120. CTI processor 120 isconnected to switch 131 via a CTI link. CTI processor 120 providesintelligent control over switch 131. Telephone switch 131 also has aninteractive voice response (IVR) capability via an IVR 119.

LAN 118 supports an application server 121 that may be employed forserving voice applications to callers. CTI processor 120 is connected toLAN 118 enabling service to the switch and other maintenance through CTIfunctionality. LAN 118 supports a messaging server 125 adapted with aphysical digital medium containing all of the required software and datato enable function as a message server or router. LAN 118 also supportsa statistics server 126. Stat server 126 includes a physical digitalmedium containing all of the software and data required to enablefunction as a statistics server. Stat server 126 has connection to arepository 127 adapted to contain call center statistics, including, forexample, profiles regarding customers and clients of call center 111,and may also store profiles and statistics regarding agents associatedwith the call center.

In one embodiment of the present invention, illustrated by FIG. 2,server 109 in Internet 102 is hosted by a bank, such as, for example,Bank of America™, and as an example of practice of the invention, acustomer of the bank, who has at least one account with the bank, mayinitiate a transaction from telephone 115 (3) to web server 109 toaccess her account, to, for example, check the balance in her checkingaccount. In this example the customer has a Bank Card, such as adebit/check card or credit card 202. In many instances the debit cardcan also be used as a credit card.

Except for the presence and use of bank card 202, the other elementsrepresented in FIG. 2 are all illustrated in FIG. 1 in context with allof the other interconnected equipment in the architecture illustrated inFIG. 1. Much has been left out of FIG. 2 for the sake of simplicity, butall is illustrated in FIG. 1.

In this embodiment telephone 115 (3) is running the Android operatingsystem, and is enabled for Near Field Communication (NFC), such as, forexample, the Samsung Galaxy Note Android. The telephone also has anapplication represented by SW 201, which is an application for accessingthe customer's bank account via server 109, and displaying aninteractive interface through which the customer may accomplish theinstant purpose, such as determining the current account balance.Normally the customer, having a telephone not capable of practicing theinstant invention, would invoke the application on the telephone, andlog in with username and password to gain access to her account.

It is further known that there is an emerging trend of Near FieldCommunication (NFC) capability being embedded into credit cards andother common enterprise-issued cards to customers of enterprises likebanks, for example. The common application is to make payments atPoint-of-Sale by tapping the credit card to the telephone. Thecommunication to the computerized device at the point of sale is thecredit-card information, similar to that which would be provided byswiping the card and entering a PIN.

In the present invention the card, in one embodiment, has a digitalidentifier unique to the cardholder, which SW 201, executing on thetelephone, may access by NFC to identify the customer and the card.Accessing the unique identifier in the card invokes the correctapplication 201 and logs the customer seamlessly into the application.There is no need for the customer to find and invoke the application, orto enter a username and password.

In another embodiment additional data and information may be embedded incard 202 that may be useful to the bank when the customer uses theNFC-enabled card to invoke the bank's application, and this additionalinformation might be used for a variety of purposes.

In yet another embodiment, illustrated by FIG. 3, the bank has a callcenter 111 which exists to serve the bank's customers primarily throughcommunication with agents at agent stations 116. Again the connectivityof the call center to the bank's server in the Internet and tocustomer's computerized appliances is not shown, but may be ascertainedby reference to FIG. 1. The call center has stat server 126, describedbriefly above with access to a data repository 127 storing customerprofiles. In this embodiment initiating with card to appliance 115 (3)invokes application 201 and the application accesses Stat Server 126 forinformation about the customer from repository 127, which is storedassociated with the unique customer code. The information may be used ina variety of ways.

It is well-known that a customer, interacting with a web site, such asan on-line banking site, may accomplish much, but at some point desireto communicate with an agent at the bank's call center. In current artthis typically happens through a link in the web site which connects thecustomer to the call center, either redirecting the customer, or openinga new path. The customer may be connected first to an IVR such as IVR119 at the call center, which will then try, through voice applicationfunctions, to identify the customer and the customer's purpose. Thisrequires re-entry of username and password, and often othercommunication as well. In the case where the customer is connected to anagent at the call center, either immediately or after interaction withthe IVR, the answering agent may require yet further interaction toauthorize certain transactions or access to certain information.

In an embodiment of the present invention the unique identifier andoptionally other information acquired from the NFC-enabled card 202 atthe beginning of the process interacts with SW at the IVR, or with Statserver 126, and the customer is authenticated without need for all ofthe manual operations needed in the conventional sense. It is necessaryfor this functionality that the Stat Server, the IVR, or perhaps the CTIserver 120 acting as a router, may execute SW that looks for theidentifier and performs the necessary authentication, which may now betransparent to both the agents and the customer.

In yet another embodiment of the invention illustrated by FIG. 4 acustomer has invoked an Internet connection for a computer 155 (1)through land-line 107 (see FIG. 1). This example also applies to anInternet connection invoked through, for example a WiFi network to theInternet from laptop 115 (2) or an iPad device 115 (4), none of which inthis example are enabled for NFC. In FIG. 4 computer appliance 115 (1)should be thought of as any one of the appliances not enabled for NFC.

In this embodiment the customer, having invoked the application onappliance 115 (1) accessing the bank's web site on server 109 also hashis or her NFC enabled telephone 115 (3) at hand and NFC-enabled card202. The customer taps the card to the telephone, which invokes thetelephone application as described above, acquires the unique identifierand optionally other data, and links to the same web site on server 109,where the SW at the server recognizes the customer is connected byappliance 115 (1) as well, and authenticates the customer transparentlyfor the connection to appliance 115(1). In this way, the customer canuse the unique ability of the NFC-enabled card and NFC-enabled telephoneto authenticate using a variety of appliances that are not NFC enabled.

In one embodiment a third-party enterprise that, for example, providescall center hardware and software to banks and other businesses mayprovide the SW to operate on the NFC enabled telephones, as well as SWoperating on web site 109, and on various servers in the call centerassociated with the businesses. The third party provider may providecustom features for different ones of such businesses.

An important feature of the present invention in many embodiments is anability to launch applications quickly and seamlessly on a mobiledevice, and to authenticate the user of the device in the application.It is important therefore, that the new process be at least as secure asthe Username/Password process that is replaced.

In embodiments of the invention, at the very first use the cardholderhas to engage the NFC card to the phone and the app that is launchedwill prompt for a password. The password is not stored on the card.It—that is not stored on the NFC card at all, but is something the userknows and has registered with the enterprise associated with the NFCcard, such as a bank as described in embodiments above. It is necessaryto do this only the first time the cardholder uses the technique of theinvention, hence the security is what one has (the NFC card) and whatone knows (the password). Thereafter, the NFC card is all that is neededto log in—if the card gets stolen it would not work as one would need toknow the password to use it on another smartphone. If the card and thephone get stolen together, then a call to the enterprise is required todeactivate the password, card etc (as is done when any credit card isstolen).

This is only a potential security issue if the app is configured to onlyrequire a password on the very first time logging into the app from aspecific smartphone. IN some embodiments additional layers of securityare added, such as, for example, like location. In a location securityembodiment the location of the telephone is necessary, limited tocertain locations, so approved location is necessary to be able to login the application. If a different location is a circumstance, then aone-time user name and password is required. In some other embodiments aPIN is required with every use of the NFC-enabled card. A four characterPIN is still quicker and easier than a username+password. In still otherembodiments other security measures may be implemented. For example, insome cases a card may be paired with a telephone number for the mobiledevice, or an International Mobile Equipment Identity (IMEI). Othersecurity requirements and procedures, such as biometric input andauthentication may also be used.

It is not required that an NFC-enabled card used in practice of thepresent invention be issued by a financial institution, or that anapplication booted by proximity of an NFC-enabled card to a mobiledevice be an account held by a user at a bank or other financialinstitution. Those descriptions above are a use case and arenon-limiting examples. An NFC-enabled card, or an enabled dongle of somesort, may be used to boot an application on a mobile device, and toauthenticate the user in a variety if situations, such as, for example,entry into any web-enabled site that requires log-in. The essentialinnovation and invention is initiating an action other than thewell-known payment process at point-of-sale. One might even have, forexample, a belt or other item that might have several NFC-enableddongles at different positions sufficiently separated such that a usermight touch the phone to one or another to open the contact list on amobile phone and call a particular party associated with that particulardongle.

It will be apparent to the skilled person that there are only a fewenterprises presently providing NFC-enabled cards, and none of these areenabled with a unique identifier such as is described above for invokingan application and authenticating a user. Further there is no operatingsoftware with operation as described above for SW 201. More and moreappliances, such as Smart Phones and iPad devices are expected, however,to be NFC enabled in the near future, and these new devices, or newmodels of existing devices, become useful in embodiments of the presentinvention.

It will further be apparent to the skilled person that the hardware andsoftware, and functionality described above in various embodiments isexemplary, and there are many equivalent ways that architecture may beimplemented and functionality provided that will be within the scope ofthe present invention. The breadth of the invention is determined by theclaims that follow.

The invention claimed is:
 1. A method for operating a communicationappliance enabled for Near Field Communication (NFC), comprising:acquiring by the communication appliance through NFC a unique digitalidentifier from an article, wherein the communication appliance and thearticle are associated with a person, the article being enabled for NFCand storing the unique identifier, wherein the unique digital identifieris acquired in response to the communication appliance and the articlebeing positioned within a near-field threshold; and selecting andinitiating a particular functionality of the communication appliancebased on the identifier, wherein the particular functionality islaunching an application linking to an Internet-connected first server,and authenticating the person in the application to interact withfunctionality of the Internet-connected first server requiringauthentication, and wherein a first link is established to the firstserver via an appliance that is not NFC enabled, and a second link tothe first server through the communication appliance that is NFCenabled, based on the NFC-enabled article, and the first serverauthorizes the person and enables the person to access and manipulatefunctionality of the first server that requires authentication from theappliance that is not NFC enabled.
 2. The method of claim 1, wherein thecommunication appliance is a mobile device configured for telephonycommunication.
 3. The method of claim 1, wherein the article is anNFC-enabled card issued by an enterprise associated with the firstserver.
 4. The method of claim 1, wherein the appliance that is not NFCenabled is a computer device.
 5. The method of claim 1, wherein thefunctionality of the first server includes retrieving personal data ofthe person.
 6. The method of claim 5, wherein the personal data includesfinancial account information for the person.
 7. The method of claim 1,wherein the first server authorizes the person and enables the person toaccess and manipulate functionality from the appliance that is not NFCenabled, in response to establishing the second link.
 8. The method ofclaim 1, wherein the communication appliance is configured tocommunicate the unique identifier to the first server.
 9. Acommunication system comprising: an article enabled for Near FieldCommunication (NFC) and storing a unique identifier associated with aperson; a communication appliance that is NFC enabled, executingsoftware from a non-transitory physical medium; wherein thecommunication appliance is configured to acquire the unique identifierbased on the article and communication appliance being brought within anNFC threshold distance, wherein the communication appliance is furtherconfigured to select and initiate specific functionality based on theacquired unique identifier wherein the specific functionality islaunching an application linking to an Internet-connected first server,and authenticating the person in the application to interact withfunctionality of the Internet-connected first server requiringauthentication, and wherein a first link is configured to be establishedto the first server via an appliance that is not NFC enabled, and asecond link to the first server through the communication appliance thatis NFC enabled, based on the NFC-enabled article, and the first serverauthorizes the person and enables the person to access and manipulatefunctionality of the first server that requires authentication from theappliance that is not NFC enabled.
 10. The system of claim 9, whereinthe communication appliance is a mobile device configured for telephonycommunication, and the article is an NFC-enabled card issued by anenterprise associated with the first server.
 11. The system of claim 9,wherein the article is an NFC-enabled card issued by an enterpriseassociated with the first server.
 12. The system of claim 9, wherein theappliance that is not NFC enabled is a computer device.
 13. The systemof claim 9, wherein the functionality of the first server includesretrieving personal data of the person.
 14. The system of claim 13,wherein the personal data includes financial account information for theperson.
 15. The system of claim 9, wherein the first server authorizesthe person and enables the person to access and manipulate functionalityfrom the appliance that is not NFC enabled, in response to establishingthe second link.
 16. The system of claim 9, wherein the communicationappliance is configured to communicate the unique identifier to thefirst server.